lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <cbcf0c58-b15f-c82d-1274-1a7d17d75799@iogearbox.net>
Date:   Thu, 21 Mar 2019 12:21:29 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Xu Yu <xuyu@...ux.alibaba.com>, bpf@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] bpf: do not restore dst_reg when cur_state is freed

On 03/21/2019 11:00 AM, Xu Yu wrote:
> Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
> Call trace:
>   dump_stack+0xbf/0x12e
>   print_address_description+0x6a/0x280
>   kasan_report+0x237/0x360
>   sanitize_ptr_alu+0x85a/0x8d0
>   adjust_ptr_min_max_vals+0x8f2/0x1ca0
>   adjust_reg_min_max_vals+0x8ed/0x22e0
>   do_check+0x1ca6/0x5d00
>   bpf_check+0x9ca/0x2570
>   bpf_prog_load+0xc91/0x1030
>   __se_sys_bpf+0x61e/0x1f00
>   do_syscall_64+0xc8/0x550
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> Fault injection trace:
>   kfree+0xea/0x290
>   free_func_state+0x4a/0x60
>   free_verifier_state+0x61/0xe0
>   push_stack+0x216/0x2f0	          <- inject failslab
>   sanitize_ptr_alu+0x2b1/0x8d0
>   adjust_ptr_min_max_vals+0x8f2/0x1ca0
>   adjust_reg_min_max_vals+0x8ed/0x22e0
>   do_check+0x1ca6/0x5d00
>   bpf_check+0x9ca/0x2570
>   bpf_prog_load+0xc91/0x1030
>   __se_sys_bpf+0x61e/0x1f00
>   do_syscall_64+0xc8/0x550
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> When kzalloc() fails in push_stack(), free_verifier_state() will free
> current verifier state. As push_stack() returns, dst_reg was restored
> if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg
> is also freed, and error occurs when dereferencing dst_reg.
> 
> Simply fix it by testing ret of push_stack() before retoring dst_reg.
> 
> Signed-off-by: Xu Yu <xuyu@...ux.alibaba.com>

Applied, thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ